Workday AI Under the EU AI Act: High-Risk HR Features and What Deployers Must Do
Workday recruiting and performance AI are high-risk under Annex III point 4. Art 26(6) logs, Art 26(7) worker notice required. Deadline: 2 December 2027.
Workday is one of the most widely deployed HR systems in the EU. Most of its AI features are also among the most legally significant under Regulation (EU) 2024/1689 — not because of their sophistication, but because of what they touch. Candidate screening, performance ratings, promotion recommendations, and termination-scenario modelling sit directly inside Annex III, point 4 of the EU AI Act. That makes them high-risk by default.
This article tells you which Workday AI features trigger that classification, what your obligations are as the employer deploying them, and where the hard legal lines sit — including one prohibition that is already in force.
Which Workday AI Features Are High-Risk?
Annex III, point 4 lists four sub-categories of employment AI that carry high-risk status:
- 4(a) — Recruitment and selection: AI used to advertise vacancies, screen or filter applications, or evaluate candidates during hiring or promotion procedures.
- 4(b) — In-employment decisions: AI that influences decisions about promotion, termination, task allocation, or monitoring and evaluating performance.
The classification does not require that the system make the decision autonomously. If the AI output — a ranked shortlist, a performance score, a flag — substantially influences what an HR manager then decides, the system is high-risk. Recital 37 makes this explicit.
Here is how the principal Workday AI modules map:
| Workday Feature | Annex III Point | High-Risk? |
|---|---|---|
| Recruiting — AI candidate ranking / resume screening | 4(a) | Yes |
| Recruiting — interview question generation (AI-generated suggestions only) | — | No (procedural support, no influence on selection) |
| Performance — algorithmic performance rating suggestions | 4(b) | Yes |
| Succession Planning — AI promotion candidate lists | 4(a) | Yes |
| Skills Cloud — AI-generated skills inference and gap mapping (used for task allocation) | 4(b) | Yes |
| Workforce Planning — headcount reduction scenario modelling (identifying specific individuals) | 4(b) | Yes, where used to identify named employees |
| Compensation — salary benchmarking analytics (descriptive) | — | No (informational, no automated decision) |
| People Analytics — workforce trend dashboards (aggregate) | — | Likely no (no profiling of individuals) |
The Article 6(3) exemption can take a system out of high-risk status if it performs only a narrow procedural task, improves a previously completed human activity, or detects patterns without influencing human assessment. But any system that profiles natural persons is always high-risk, regardless. Most of the Workday features listed above profile individuals — they produce scores, ranks, or recommendations about specific people — so the Article 6(3) exit rarely applies here.
One Prohibition Already In Force
Before reaching high-risk obligations, check this: Article 5(1)(f) prohibits AI systems that infer emotions in the workplace. This prohibition has been in force since 2 February 2025. It is not high-risk — it is banned outright.
Any Workday feature (or third-party integration with Workday) that attempts to infer emotional or psychological states from video, audio, facial expressions, or biometric signals during interviews, performance reviews, or working hours is prohibited. The fine ceiling for breaching Article 5 is €35 million or 7% of worldwide annual turnover under Article 99(3), whichever is higher. No conformity assessment, no transitional period, no grace clause. If such a feature is live, it must be turned off now.
Your Role: Deployer, Not Provider
Workday is the provider under Article 16. It places the system on the market under its own name and carries the obligations that go with that: technical documentation under Article 11 and Annex IV, a conformity assessment under Article 43 before market placement, registration in the EU database under Article 49, and a quality management system under Article 17. These are Workday's responsibilities, not yours.
Your organisation, as the employer switching on and using these features, is a deployer under Article 26. That is a meaningfully lighter obligation set — but it is not trivial.
One exception applies: if your IT team substantially modifies Workday's AI model or repurposes it for a use outside its original intended purpose, Article 25 converts you into a provider. At that point you inherit the full Article 16 obligation stack. This situation is uncommon with standard Workday deployments, but it can arise if you fine-tune Workday's models on your own hiring data in ways that materially change how the system operates.
Article 26 Deployer Obligations
As a deployer of a high-risk Workday HR system, your obligations under Article 26 are:
Follow Workday's instructions. Article 26 requires you to use the system in accordance with the instructions for use that Workday provides. Do not reconfigure the system in ways that circumvent documented guardrails.
Ensure human oversight. Article 26 requires that you implement the human oversight measures specified in the system's documentation. This is the operationally demanding part.
Monitor for risks. Article 26 requires you to monitor the system for risks throughout its lifecycle and inform Workday (and, where required, the relevant market-surveillance authority) of any serious incidents or malfunctions.
Keep logs for at least six months. Article 26(6) requires deployers to keep the automatically generated logs of the system's operation for at least six months, unless EU or national law requires longer retention. These logs are what an authority will request in an enforcement investigation.
Inform workers' representatives and affected employees before deployment. Article 26(7) is the most overlooked deployer obligation. Before deploying a high-risk AI system in the workplace, you must inform workers' representatives and the affected employees. This is not a soft consultation recommendation — it is a legal requirement. It applies to all covered employment AI features: recruiting, performance, succession, skills allocation. Failure here exposes the deployer directly.
Assign a human reviewer with authority to override. Article 14 requires that a natural person with the appropriate competence and authority can understand and override the system's outputs. For Workday HR AI, this means HR managers must receive the AI's explanation, must genuinely review it, and must be able to select a different candidate, rating, or recommendation without system obstruction. Log overrides — they demonstrate oversight is real, not theatrical.
What Workday Must Provide (and What You Should Verify)
Because Workday carries the conformity assessment and documentation obligations, your due-diligence task is to verify that Workday has done its part:
- Conformity assessment under Article 43. For Annex III employment AI, the applicable route is typically the internal control procedure (Annex VI), performed by the provider. Ask Workday for confirmation that conformity assessment for these specific modules has been completed.
- EU Declaration of Conformity under Article 47 and, once the registry is live, registration under Article 49.
- Article 11 / Annex IV technical documentation. Workday must be able to provide documentation covering the system's design, data sources, performance metrics (including demographic subgroup testing), known risks, and intended use. You will need elements of this to assemble your own internal compliance file.
- Article 13 instructions for use. Workday is required to provide deployers with sufficient information to comply with their Article 26 obligations. If those instructions are thin, unclear, or absent, that is a red flag — and a gap you must close before deployment.
The compliance deadline for these high-risk system obligations is 2 December 2027 for stand-alone systems under Annex III, under the Digital Omnibus political agreement reached in May 2026 (which deferred the original 2 August 2026 date). The deadline for Annex I product-embedded AI is 2 August 2028. December 2027 is the date that matters for Workday HR AI.
That sounds like breathing room. It is not. Article 26(7) worker notification, Article 26(6) log retention, and the Article 5(1)(f) emotion-recognition prohibition are all already in force, the prohibition since 2 February 2025. Documenting your compliance file — internal risk assessment, human oversight procedures, log retention configuration — takes months.
Risk Management and Human Oversight in Practice
You cannot outsource Article 26 compliance entirely to Workday. There is an internal compliance file your organisation must build and maintain:
Internal risk assessment. Document which Workday AI modules you have activated, which employment decisions they influence, and what residual risks they carry in your specific context (workforce composition, geographical deployment, protected-characteristic distribution in your candidate and employee populations). This does not need to be an elaborate document, but it needs to exist.
Bias and discrimination controls. Workday AI systems trained on historical hiring and performance data can encode past discrimination. Before go-live, review Workday's demographic subgroup testing results. If Workday cannot provide disaggregated accuracy data (performance by gender, age, and protected characteristics), that is a gap in the Article 13 information and you should treat the feature as unverified. Internally, monitor hiring and promotion outcomes quarterly.
Human oversight that is genuine, not procedural. Article 14(4) requires that persons responsible for oversight understand what the system can and cannot do. Annual training on AI limitations and bias risks is the minimum. Build this into your HR onboarding for any manager using Workday AI tools.
Log configuration. Check whether Workday's default logging settings meet the Article 26(6) minimum of six months. If the system does not log AI recommendation events automatically, configure it to do so or implement a compensating control (structured human-review records).
GDPR Article 22 and the Overlap
GDPR Article 22 restricts solely automated decisions that produce legal or similarly significant effects. A hiring rejection based purely on an AI ranking — with no genuine human review — could fall within Article 22's scope and require either explicit consent, a contractual basis, or the ability for the data subject to request human review.
In practice, the EU AI Act's Article 14 human oversight requirement and GDPR Article 22's restriction point in the same direction: meaningful human review, not rubber-stamping. Build one review process that satisfies both. Your Data Protection Officer should sign off on how the two obligations are coordinated, and a GDPR Data Protection Impact Assessment (DPIA) under GDPR Article 35 is advisable for high-impact automated processing.
The Fundamental Rights Impact Assessment (FRIA) under Article 27 of the EU AI Act is a separate instrument. It applies to public-body deployers and — for specific use cases — to deployers of creditworthiness and life/health insurance AI (Annex III points 5(b) and 5(c)). Private employers deploying employment AI are not automatically required to run an Article 27 FRIA. Do not conflate it with the GDPR DPIA, and do not assume you owe one.
Penalties
Non-compliance with deployer obligations under Article 26 — including the failure to keep logs, to notify workers before deployment, or to implement genuine human oversight — falls under Article 99(4): fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher.
Breach of the Article 5(1)(f) emotion-recognition prohibition is the top tier: €35 million or 7% under Article 99(3).
For companies with €500 million in worldwide turnover, the 3% figure (€15 million) and the 7% figure (€35 million) are the binding ceiling. For smaller companies, the fixed sum is typically the ceiling — and the SME cap under Article 99(6) means the lower of the two applies. That proportionality provision is real, but it does not reduce the obligation; it caps the fine if you are found non-compliant.
How Confir Helps
The first step for any Workday deployer is classification: confirming which features are high-risk under Article 6 and Annex III, and which fall outside that scope. Confir's rule-based classification engine walks through the Annex III logic via plain-English questions and derives a definitive risk tier and role determination — Provider, Deployer, or a mix — without ambiguity.
For your high-risk features, Confir then runs the structured assessment: Article 26 deployer duties (Art 26(6) log retention, Art 26(7) worker notification status), Article 14 human oversight adequacy, and — where Workday's Article 13 instructions are incomplete — the gaps you need to close. The full assessment typically completes in under two hours. Output is a compliance file and audit-ready record you can present to an authority, a works council, or your own board.
Frequently Asked Questions
Is every Workday AI feature high-risk under the EU AI Act?
No. High-risk classification under Article 6 and Annex III, point 4 applies to features that influence recruitment, selection, promotion, termination, performance evaluation, or task allocation decisions for specific individuals. Generic analytics, aggregate workforce trend dashboards, and tools that support human review without producing individual scores or ranks generally fall outside the high-risk category. Classify each feature separately before deciding what compliance infrastructure it requires.
Workday runs the AI model — why does our organisation owe any obligations?
Workday, as the provider under Article 16, carries the conformity assessment, technical documentation, and registration duties. But Article 26 assigns a distinct and non-delegable set of obligations to the deployer — the organisation that switches the system on and uses it in its operations. Those obligations include six-month log retention (Art 26(6)), pre-deployment notification to workers' representatives and affected employees (Art 26(7)), and ensuring genuine human oversight under Article 14. You cannot outsource these to Workday.
We are legally required to inform our employees before deploying Workday AI for HR decisions — is that right?
Yes. Article 26(7) requires deployers of high-risk AI systems in workplace settings to inform workers' representatives and the affected workers before deployment. This is a statutory obligation that applies regardless of what national employment law or works council agreements already require (though those may impose additional consultation duties on top). Build this notification into your change management process rather than treating it as an afterthought.
Does our company need to run a Fundamental Rights Impact Assessment for Workday HR AI?
Generally, no — if you are a private employer. Article 27 FRIAs are mandatory for public-body deployers and, for specific use cases, for deployers of creditworthiness and life/health insurance AI (Annex III 5(b) and 5(c)). Private employers deploying employment AI under Annex III point 4 are not automatically required to run a FRIA. You do, however, owe a GDPR DPIA (Article 35 GDPR) if the processing is likely to result in a high risk to individuals — which most automated HR processing is.
Is emotion recognition in Workday interviews or performance reviews banned?
Yes. Article 5(1)(f) prohibits AI systems that infer or recognise emotions in workplace and educational settings. This prohibition has been in force since 2 February 2025. It applies to any Workday feature — or third-party module integrated with Workday — that analyses facial expressions, voice tone, physiological signals, or similar inputs to classify emotional or psychological states. Non-compliance carries fines of up to €35 million or 7% of worldwide annual turnover under Article 99(3). If any such feature is currently active, it must be disabled immediately.
What is the compliance deadline for Workday's high-risk HR AI features?
Under the Digital Omnibus agreement reached in May 2026, the deadline for stand-alone high-risk AI systems under Annex III — which includes all employment AI features listed in point 4 — is 2 December 2027. The original date of 2 August 2026 has been deferred. However, Article 26(7) worker notification and Article 26(6) log retention apply from the date of deployment, and the Article 5(1)(f) emotion-recognition prohibition has been in force since 2 February 2025. December 2027 is not a start date for compliance — it is the deadline for completing it.
How do we confirm Workday has completed its conformity assessment obligations?
Ask Workday directly for the Article 47 Declaration of Conformity for each AI module you are activating, and for the Article 13 instructions for use that confirm the intended purpose and known limitations. When the EU database under Article 49 is operational, check Workday's registration entry there. If Workday cannot provide these documents for a feature you are considering deploying, delay activation until they can — deploying a system whose provider has not completed conformity assessment increases your own exposure under Article 26.